fkeeper - intelligent filesystem guard
1. INTRODUCTION
Intelligent Filesystem Guard is a tool that records changes to files and directories. It can be used either to detect changes in important files (as an intrusion detection system guarding data integrity against viruses and Trojan horses) or to guard user data. The main emphasis is on monitoring files. One function of the system is to report what happened to a file in response to a user query. The system can warn of any kind of change: modification, creation, erasure or move.
2. PREREQUISITES
In order to compile the code you need OpenSSL (>= 0.9.7), pcre (>= 6.4) with the pcrecpp wrapper, and flex (>= 2.5) installed.
3. INSTALL
Use command sequence:
$ tar xzvf fkeeper-1.0.tar.gz
$ cd fkeeper
$ gmake
The executable file "fkeeper" will be created in the source directory. Finally, run this command as root:
# gmake install
4. UNINSTALL
Simply use command:
# gmake uninstall
Warning: this command also removes the indexation database. If you don't want this behavior, back up the database first and then run the uninstall command.
5. EXAMPLES
Fkeeper uses the configuration file /etc/fkeeper.conf. You should read it and modify some parts. Database files are stored in the /var/fkeeper directory.
5.1 To see a short description of fkeeper parameters use:
$ fkeeper --help
5.2 To start indexation of the filesystem use:
# fkeeper -i
Only root can do this. It is recommended to run the indexation process from the cron daemon.
5.3 To view all records about a specific file or directory try:
$ fkeeper -f /full/path/to/file
5.4 To view all records about a specific file or directory selected by regular expression use:
$ fkeeper -r regular_expression
5.5 To execute a full database query use:
$ fkeeper -q query
For the query description see section 6.
5.6 To start interactive (command line) mode try:
$ fkeeper -m
and then enter the 'help' command.
6. QUERY LANGUAGE
Fkeeper uses its own query language, similar to a C expression.
6.1 SHORT EXAMPLE
NAME == "^/home/jan/.*" && IS_FILE == 1 && (MTIME < 10d || (ERASE_TIME < 23h && IS_MOVED_TO == ""))
This expression selects all regular files whose name matches the regular expression "^/home/jan/.*" and that were either modified in the last 10 days or erased in the last 23 hours without being moved elsewhere.
6.2 DESCRIPTION OF EXPRESSION
Each expression is composed of subexpressions joined by the logical operators && and ||.
Each subexpression has a left side followed by a relational operator (==, <, >, <=, >=) and ends with a right side.
The left side of a subexpression is an identifier and the right side is a literal.
Types of literals:
- integer "time" literal, examples: 5d, 2m, 100s
- integer decimal literal, examples: 50000, 2, 45
- integer octal literal, examples: 02755, 0644
- integer "size" literal, examples: 20MB, 30kB, 1024B
- string literal, examples: "/usr/bin", "/etc/.tab."
Identifiers in a subexpression with a time literal on the right side:
CREATION_TIME       beginning time of the item's occurrence in the database
ERASE_TIME          ending time of the item's occurrence in the database
EVENT_TIME          time of event
ATIME               access time
MTIME               modification time
CTIME               creation time
Identifiers in a subexpression with a decimal literal on the right side:
OWNER               owner of item
GROUP               group which item belongs to
IS_DIR              item is a directory
IS_FILE             item is a file
USER_CAN_READ       user can read
USER_CAN_WRITE      user can write
USER_CAN_EXECUTE    user can execute
GROUP_CAN_READ      member of group can read
GROUP_CAN_WRITE     member of group can write
GROUP_CAN_EXECUTE   member of group can execute
OTHER_CAN_READ      others can read
OTHER_CAN_WRITE     others can write
OTHER_CAN_EXECUTE   others can execute
IS_SUID             set-uid bit is set
IS_SGID             set-gid bit is set
IS_STICKY           sticky bit is set
Identifiers in a subexpression with an octal literal on the right side:
PERM                item permissions
Identifiers in a subexpression with a size literal on the right side:
SIZE                item size
Identifiers in a subexpression with a string literal on the right side:
NAME                item name
IS_MOVED_FROM       location the item was moved from
IS_MOVED_TO         location the item was moved to
OWNER               owner of item
GROUP               group which item belongs to
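As an added illustration of the grammar in 6.2 and the example query in 6.1 (this is not fkeeper's own parser; it is a hypothetical re-implementation written for this README), the following Python evaluator tokenizes the five literal types, parses && and || with C precedence and parentheses, and runs queries against constructed database records. It assumes that a time literal is an age measured back from the query time (with m = minutes), that string == is a regular-expression match over the whole value, and that a field absent from a record never matches.

```python
import re, operator
# Added, hypothetical evaluator for the fkeeper-style query grammar (not fkeeper's own code). Assumptions:
# time literals are ages back from `now` (m = minutes); string == is a whole-value regex match; missing fields never match.
TIME_UNIT, SIZE_UNIT = {"s": 1, "m": 60, "h": 3600, "d": 86400}, {"B": 1, "kB": 1024, "MB": 1024 ** 2}
TOKEN = re.compile(r'\s*(?:(\d+)([dhms])\b|(\d+)(kB|MB|B)\b|(\d+)\b'
                   r'|"((?:[^"\\]|\\.)*)"|([A-Z_]+)|(&&|\|\||[<>=]=|[<>()]))')
REL = {"==": operator.eq, "<": operator.lt, ">": operator.gt, "<=": operator.le, ">=": operator.ge}

def tokenize(text, pos=0):  # yields (kind, value) pairs; literals normalized to seconds, bytes or ints
    while pos < len(text.rstrip()):
        if not (m := TOKEN.match(text, pos)): raise SyntaxError("bad token at %d: %r" % (pos, text[pos:pos + 10]))
        pos, g = m.end(), m.groups()
        if g[0]:   yield "time", int(g[0]) * TIME_UNIT[g[1]]
        elif g[2]: yield "size", int(g[2]) * SIZE_UNIT[g[3]]
        elif g[4]: yield "int", int(g[4], 8 if g[4][0] == "0" else 10)   # leading 0 means octal, e.g. 0644
        elif g[5] is not None: yield "str", g[5]
        elif g[6]: yield "id", g[6]
        else:      yield "op", g[7]

def compile_query(text):  # recursive descent into a predicate f(record, now); && binds tighter than ||
    toks = list(tokenize(text)) + [("end", None)] * 3   # padding keeps pop(0) from running dry
    def atom():  # "(" expr ")" | IDENT relop literal
        if toks[0] == ("op", "("):
            toks.pop(0); node = chain(0)
            if toks.pop(0) != ("op", ")"): raise SyntaxError("missing )")
            return node
        (k, ident), (_, op), (kind, lit) = [toks.pop(0) for _ in range(3)]
        if k != "id" or op not in REL or kind in ("op", "end", "id") or (kind == "str" and op != "=="):
            raise SyntaxError("bad subexpression %r %r %r" % (ident, op, lit))
        def test(rec, now):
            val = rec.get(ident)
            if val is None: return False
            return re.fullmatch(lit, val) is not None if kind == "str" else REL[op](now - val if kind == "time" else val, lit)
        return test
    def chain(level):  # level 0 joins with ||, level 1 with &&, level 2 is one subexpression
        if level == 2: return atom()
        node, op, comb = chain(level + 1), ("||", "&&")[level], (any, all)[level]
        while toks[0] == ("op", op):
            toks.pop(0); node = (lambda l, r: lambda rec, now: comb(p(rec, now) for p in (l, r)))(node, chain(level + 1))
        return node
    node = chain(0)
    if toks[0] != ("end", None): raise SyntaxError("unexpected %r" % (toks[0],))
    return node

NOW, DAY = 1_700_000_000, 86400   # constructed clock and database rows, not real fkeeper data
RECORDS = [{"NAME": "/home/jan/notes.txt", "IS_FILE": 1, "MTIME": NOW - 2 * DAY, "IS_MOVED_TO": "", "SIZE": 3000, "PERM": 0o644},
           {"NAME": "/home/jan/secret", "IS_FILE": 1, "MTIME": NOW - 30 * DAY, "ERASE_TIME": NOW - 3600, "IS_MOVED_TO": "", "PERM": 0o600},
           {"NAME": "/home/jan/moved", "IS_FILE": 1, "MTIME": NOW - 30 * DAY, "ERASE_TIME": NOW - 3600, "IS_MOVED_TO": "/tmp/moved", "PERM": 0o600}]
def run(query, records=RECORDS, now=NOW):  # names of the rows the query selects
    pred = compile_query(query); return [r["NAME"] for r in records if pred(r, now)]
```

Running the 6.1 query through run() selects notes.txt (modified 2 days ago) and secret (erased an hour ago, not moved) but not moved, whose IS_MOVED_TO is non-empty.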
